Encryption per se does not protect against modification, I am aware of that. That is even more true for disk encryption, where the encrypted data block has to fit into the physical disk block, so there is no room for a MAC or signature. However, in combination with a filesystem like btrfs, which checksums everything, it provides some protection, even though it was not designed for that purpose.
Apart from the fact that UEFI Secure Boot is an overly complex monster which is basically broken[1] by design, my understanding of it is also that it does not protect configs, initramfs etc. in /boot. It only protects the kernel image and loaded modules.

[1] https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/

In addition, files in /boot like the initrd are generated individually and may contain files not limited to what someone puts into /boot intentionally. In contrast to /boot/efi, /boot does not contain only static files delivered by the distribution.

Regards
Stephan
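The sector-size argument above, as an added example that is not part of Stephan's message: a sector-sized, unauthenticated encryption layer (a constructed keystream stand-in, not dm-crypt/XTS) silently "decrypts" a modified sector, while a per-block checksum kept by the filesystem layer (zlib CRC-32 standing in for btrfs's crc32c) does flag the change. Key, sector number and block content are constructed sample values.

```python
import hashlib
import zlib

SECTOR = 512  # ciphertext must be exactly one sector: no room for a MAC or signature


def keystream(key: bytes, sector_no: int) -> bytes:
    # Constructed stand-in for a per-sector cipher (NOT XTS): keystream derived from
    # key and sector number. It shares the property under discussion with real disk
    # encryption: output is sector-sized and carries no authentication tag.
    return hashlib.shake_256(key + sector_no.to_bytes(8, "big")).digest(SECTOR)


def encrypt_sector(key: bytes, sector_no: int, data: bytes) -> bytes:
    assert len(data) == SECTOR
    return bytes(p ^ k for p, k in zip(data, keystream(key, sector_no)))


decrypt_sector = encrypt_sector  # XOR keystream: same operation both ways


def fs_checksum(data: bytes) -> int:
    # The filesystem stores a checksum per block above the encryption layer
    # (btrfs: crc32c by default; CRC-32 from zlib stands in here).
    return zlib.crc32(data) & 0xFFFFFFFF


def write_block(key: bytes, sector_no: int, plaintext: bytes):
    # Filesystem checksums the plaintext, then the block is encrypted below it.
    return fs_checksum(plaintext), encrypt_sector(key, sector_no, plaintext)


def read_block(key: bytes, sector_no: int, stored_sum: int, ciphertext: bytes):
    # Decryption itself cannot fail: any 512-byte input "decrypts" to something.
    # Only the filesystem checksum tells a good block from a modified one.
    plaintext = decrypt_sector(key, sector_no, ciphertext)
    return plaintext, fs_checksum(plaintext) == stored_sum


def demo():
    key = b"constructed-demo-key"
    sector_no = 7
    original = b"root:x:0:0:root:/root:/bin/bash\n".ljust(SECTOR, b"\0")
    stored_sum, ct = write_block(key, sector_no, original)
    assert len(ct) == SECTOR  # sector-sized ciphertext, nothing extra stored
    modified = bytearray(ct)
    modified[0] ^= 0x01  # one ciphertext byte changed on the raw device
    pt, ok_intact = read_block(key, sector_no, stored_sum, ct)
    pt2, ok_modified = read_block(key, sector_no, stored_sum, bytes(modified))
    return ok_intact, ok_modified, pt == original, pt2 != original
```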

